Laptop Displaying the GigaOm Research Portal

Get your Free GigaOm account today.

Access complimentary GigaOm content by signing up for a FREE GigaOm account today — or upgrade to premium for full access to the GigaOm research catalog. Join now and uncover what you’ve been missing!

Key Criteria for Evaluating Penetration Testing as a Service Solutionsv1.0

An Evaluation Guide for Technology Decision Makers

Table of Contents

  1. Summary
  2. Penetration Testing as a Service Primer
  3. Report Methodology
  4. Decision Criteria Analysis
  5. Evaluation Metrics
  6. Key Criteria: Impact Analysis
  7. Analyst’s Take
  8. About Chris Ray

1. Summary

Penetration testing has long been a technique used by security teams to find vulnerabilities in their systems and applications, enabling them to improve practical security outcomes and meet regulatory requirements. The value derived from penetration testing is significant, illuminating previously unknown weaknesses and granting security teams the ability to shore up defenses.

A legacy penetration testing (pen test) approach does, however, have some challenges. Legacy pen tests often leverage the expertise of just one or two penetration testers (pen testers), which can limit the type or overall quality of the pen test. The limited pool of pen testers available at most legacy pen-testing service providers means that scheduling can often require weeks or months of lead time. Moreover, it can be several weeks before the report containing all of the findings from the pen test is ready for delivery.

Penetration testing as a service (PTaaS) builds on the efficacy of penetration testing methods and adds modern software as a service (SaaS)-like features, such as an interface that clients access to review unified findings (potentially in real time) and directly communicate with pen testers, standardized testing methods, and integrations with other technologies.

While pen testing is quite mature, the PTaaS space is young. For this reason, the definition of PTaaS—and PTaaS solutions—will likely evolve as the space matures over the next few years. This could take the form of additional services being integrated, such as attack surface management (ASM) or continuous vulnerability management (CVM). Both of these services align quite well with PTaaS objectives.

This GigaOm Key Criteria report details the criteria and evaluation metrics for selecting an effective PTaaS solution. The companion GigaOm Radar report identifies vendors and products that excel in those criteria and metrics. Together, these reports provide an overview of the category and its underlying technology, identify leading PTaaS offerings, and help decision-makers evaluate these platforms so they can make a more informed investment decision.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.

Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.